Technology is evolving like never before, bringing with it so-called artificial intelligence (AI) and huge increases in computing power that are set to deliver all manner of improvements for the human race, for example new breakthroughs in healthcare and fighting disease. However, powerful new technology can equally be used for malign purposes, bringing increased threats. From fraudulent financial transactions to misinformation that puts soldiers’ lives at risk, AI is fuelling the latest attack vectors against nation states, government departments and enterprises alike.
A growing number of FTSE companies have been subjected to convincing impersonation-based attacks attempting fraud, with five attacks on FTSE 100 companies and one on a FTSE 250 reported so far this year, and this is probably just the tip of the iceberg. AI has been used to generate deepfake clones of CEOs that then instruct employees to transfer money for a deal that requires speed and secrecy – a takeover for example. The attacks, which typically use a mix of unmonitored and insecure instant messaging (e.g. WhatsApp) and voice calls using the cloned voice, are now so prevalent they have been dubbed the ‘CEO scam’.
While the reporting of these cases focuses on the financial fraud aspects of impersonation-based attacks, it is not difficult to see how this technology could be put to even more nefarious purposes: for example, nation states looking to subvert the democratic political process, disrupt critical national infrastructure, or gain military intelligence. Indeed, only a few weeks ago the then Foreign Secretary, David Cameron, was the victim of a hoax video call from someone pretending to be the former Ukrainian President Petro Poroshenko, with whom he’d had numerous face-to-face meetings. Fortunately Mr Cameron thought something was amiss when sensitive information was requested and so ended the call.
With the growth of AI, impersonation-based attacks using deepfakes will become more commonplace and even more believable. This is reinforced by an assessment from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) (https://www.ncsc.gov.uk/news/global-ransomware-threat-expected-to-rise-with-ai), which reports that the growth and accessibility of AI will rapidly increase the number and believability of ransomware and other attacks. As AI gathers momentum the barrier to entry is lowered, meaning that relatively unskilled threat actors such as novice cyber criminals, hackers-for-hire and hacktivists are able to carry out more effective attacks.
So what can organisations do to protect themselves from what is fast becoming a new attack vector?
Tackling Deepfakes and other Impersonation-based attacks
Eventually people will become better able to spot deepfakes, in the same way that most of us don’t believe every photo we see, knowing that it is all too easy to manipulate images using software. However, there is an immediate need for organisations to do everything they can to protect themselves and their employees from becoming victims of this newest threat.
Increasingly, authenticating the source of news, content, and all manner of communications is critical. Being able to trust that you are communicating with the genuine person (and not an impostor) will be a key to safety online, and for any type of transaction, whether that is taking financial or legal instructions from colleagues or customers, sharing commercially sensitive information with third-parties in the supply chain, or discussing matters of state with trusted advisors and co-workers.
Identity-based Encryption will help to mitigate the risk
Technology is already available to protect sensitive business communications via voice, instant messaging and video conferencing. Secure communication solutions that use identity-based encryption, such as the NCSC’s MIKEY-SAKKE protocol (https://www.ncsc.gov.uk/information/the-development-of-mikey-sakke), help organisations to verify that only approved participants can join a group call or chat group, meaning that everyone on a video conference call (for example) has been authenticated. This type of security feature is NOT provided by mass-adoption communication platforms, where very often all that is needed to set up an account is a mobile phone number or email address, and those are very easily spoofed, hacked or compromised (e.g. by SIM-swapping).
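To make the admission principle above concrete, here is an added illustration (not code from the article, and not an implementation of MIKEY-SAKKE or any NCSC software) of a call server that only admits participants whose identity is bound to a credential issued by a key management server. The class and function names (`KeyManagementServer`, `CallServer`, `build_join_request`), the HMAC-based credential derivation and the sample identities are all constructed for the example; a real identity-based scheme derives per-identity private keys with pairing-based cryptography and lets verifiers work from public parameters rather than the master secret.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative stand-in for an identity-based key management server (KMS).
# Assumption: per-identity credentials are derived from a master secret with
# HMAC, so a party that only knows a phone number or e-mail address cannot
# produce one. This is a teaching simplification, not MIKEY-SAKKE.
class KeyManagementServer:
    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def issue_credential(self, identity: str) -> bytes:
        """Return the credential bound to this identity (issued out of band)."""
        return hmac.new(self._master, identity.encode(), hashlib.sha256).digest()


def build_join_request(identity: str, credential: bytes, call_id: str, now=None) -> dict:
    """Client side: prove possession of the identity-bound credential for one call."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{identity}|{call_id}|{ts}|{nonce}".encode()
    tag = hmac.new(credential, msg, hashlib.sha256).hexdigest()
    return {"identity": identity, "call_id": call_id, "ts": ts, "nonce": nonce, "tag": tag}


class CallServer:
    """Admits a participant only if identity, roster, freshness and credential all check out."""

    def __init__(self, kms: KeyManagementServer, call_id: str, approved: set, window: int = 60):
        self._kms = kms          # simplification: the server can re-derive identity keys
        self.call_id = call_id
        self.approved = set(approved)   # the organiser's approved participant list
        self.window = window            # seconds of clock skew tolerated
        self._seen = set()              # (identity, nonce) pairs already used

    def admit(self, req: dict, now=None) -> tuple:
        now = int(now if now is not None else time.time())
        identity = req["identity"]
        if req["call_id"] != self.call_id:
            return (False, "wrong call")
        if identity not in self.approved:
            return (False, "identity not on approved roster")
        if abs(now - req["ts"]) > self.window:
            return (False, "timestamp outside window")
        expected_key = self._kms.issue_credential(identity)
        msg = f"{identity}|{req['call_id']}|{req['ts']}|{req['nonce']}".encode()
        expected_tag = hmac.new(expected_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, req["tag"]):
            return (False, "credential check failed")
        if (identity, req["nonce"]) in self._seen:
            return (False, "replayed request")
        self._seen.add((identity, req["nonce"]))
        return (True, "admitted")


def demo() -> dict:
    """Constructed scenario: a genuine CEO, an impostor who knows the CEO's identity, and an outsider."""
    kms = KeyManagementServer(b"constructed-master-secret-for-demo")
    call = CallServer(kms, "board-call-42", {"ceo@example.org", "cfo@example.org"})
    genuine = build_join_request("ceo@example.org", kms.issue_credential("ceo@example.org"), "board-call-42", now=1000)
    impostor = build_join_request("ceo@example.org", b"guessed-from-phone-number", "board-call-42", now=1000)
    outsider = build_join_request("intruder@example.org", kms.issue_credential("intruder@example.org"), "board-call-42", now=1000)
    return {
        "genuine": call.admit(genuine, now=1010),
        "replay": call.admit(genuine, now=1011),
        "impostor": call.admit(impostor, now=1010),
        "outsider": call.admit(outsider, now=1010),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The point of the check is the one the paragraph makes: knowing a phone number or e-mail address (the `impostor` case) is not enough, because admission depends on a credential the key management server bound to that identity, and a valid credential alone (the `outsider` case) is still not enough without being on the organiser's approved list.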
For protecting the most sensitive of conversations, such as state secrets, military movements or government negotiations, there are highly secure, on-premises communications solutions that can be used. By running an on-premises solution, organisations significantly reduce the potential attack vectors, as well as keeping total control of every aspect of their sensitive communications.
However, every organisation has important information that it would not like to fall into the wrong hands: for example, price lists, customer details, product formulae, legal or financial instructions from clients, clinical or pharmaceutical research findings and patient records, amongst many other things. All organisations can benefit from using a secure communications platform to protect corporate assets and intellectual property.
Whether deployed on-premises (on in-house servers) or as a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures UK data sovereignty, i.e. organisational data stays on sovereign soil (something that Microsoft has recently admitted it can’t guarantee, even for UK Government users), and data separation (no mixing of data, whether of different classifications, or of business and personal data).
As this recent proliferation of impersonation-based attacks demonstrates all too vividly, organisations of every shape and size in both public and commercial sectors need to start taking the cyber security of their communications seriously. This means banning the use of unsanctioned shadow IT for business purposes. When a built-for-purpose, Secure by Design secure comms platform can provide a slick user experience to rival any consumer app, plus the ability to manage and control organisational data, there is really no need to use consumer-grade apps.